The commit 556acaa message said "The minimum digest size is set to half of the curve's field size." However , I did not find any requirement description about this. On the contrary, some applications may use "improper" digest with larger curves.
For example, XML Signature allows SHA256 to be combined with P-256 even P-521 curve. While I was signing the digest, bits2field (01c547e) emitted error because of the constraints. The current workaround for me is, to fill the most significant bits zero until prehash lengths enough. I hope there will be ways to natively support this.
The commit 556acaa message said "The minimum digest size is set to half of the curve's field size." However , I did not find any requirement description about this. On the contrary, some applications may use "improper" digest with larger curves.
For example, XML Signature allows SHA256 to be combined with P-256 even P-521 curve. While I was signing the digest,
bits2field(01c547e) emitted error because of the constraints. The current workaround for me is, to fill the most significant bits zero untilprehashlengths enough. I hope there will be ways to natively support this.